Wednesday, January 4, 2017

UConn Law Professor Testifies Before Congress on Cybersecurity

The U.S. House of Representatives recently invited six distinguished experts, including Professor David Thaw of the University of Connecticut School of Law, to give their opinions on a possible federal law that would govern when companies are required to notify consumers of data breaches. This is the fourth time in less than a decade that such a law has been discussed.

When technology expands, the law slowly grows up around it. Often this results in what subcommittee chair Lee Terry (R-Nebraska) referred to as "a patchwork of state and territory-specific statutes...[that] tend to differ from each other in many ways." This is the case for many laws governing the internet, including those that govern data breach notification requirements.

According to the National Conference of State Legislatures, there are currently forty-six state and four territorial breach notification laws, plus the federal Health Insurance Portability and Accountability Act (HIPAA), which applies only to medical information. Because a single online breach may affect consumers from all fifty states, it is easy to see how these different and sometimes contradictory laws can be a nightmare for companies that are faced with a security breach.

According to Professor Thaw's testimony, there are several types of notification statutes with different thresholds for determining notification. One option is to require the reporting of all breaches to a central regulatory authority and allow that authority to determine notification. Another option is to have a risk of harm threshold that governs when companies must notify consumers. If the latter system is used, then there is an option to use a "negative threshold requirement" or a "positive threshold requirement." In the event of a breach, a negative threshold requirement requires a company to notify consumers only if its investigation reveals a risk of harm. The problem there is that it rewards companies for doing poor investigations. If they do not find a risk of harm, then they do not need to do anything.

According to Thaw, an overarching federal regime must incentivize thorough cybersecurity investigations. This is probably best served with a positive threshold requirement, which reverses the burden of proof. Here, the company must disprove the risk of consumer harm in order to exempt itself from notification. This incentivizes a thorough investigation because that investigation could exempt the company from notification, saving it time and bad press. According to Thaw, positive threshold requirements provide a built-in layer of protection for consumers because good investigations help identify vulnerabilities and increase the chances of catching bad actors.

All six experts generally approved of a federal breach notification regime, though they differed on details and priorities.

One such disagreement was over preemption. Total preemption would mean that the federal law would occupy the whole field of breach notification, overriding state laws. Kevin Richards, senior vice president of federal government affairs at the technology trade association TechAmerica, argued in favor of a "uniform, preemptive standard," as did Dan Liutikas, chief legal officer of the technology vendor group CompTIA. Liutikas pointed out that "many of these state laws are in conflict with each other."

It is also possible to have partial preemption, where the federal government sets a minimum standard but states are still allowed to experiment with greater protections beyond the federal minimum. Andrea Matwyshyn, an assistant professor of legal studies and business ethics at The Wharton School, said that a basic federal law was a good thing, but that it should not totally preempt state law, noting that "limiting states' rights to impose liability for information security misconduct will further erode consumer trust and damage innovation in the United States."

All things considered, federal preemption makes sense. The internet does not respect state lines. Having fifty different regimes is fine for something like burglary, where at most two or three states will be involved, but when someone hacks into eHarmony and gets the name of everyone's first pet or elementary school teacher (important for unlocking people's passwords), data belonging to people in all fifty states is often taken. How then is eHarmony supposed to respond to fifty different and sometimes contradictory regimes for when and what to report? Does it need to alert consumers of a breach? Only some consumers? For deeper discussion of how this issue affects companies, see Standing in the Breach - State Law Requirements When a Customer Data Breach Occurs, by Shane B. Hanson.

The internet does not respect borders, and any area where an incident will easily touch someone in every state is probably better off with a single regime that preempts others. Not having preemption would merely add another set of guidelines to the stack and might result in a federal regime doing more harm than good.

Additionally, as Professor Thaw pointed out, this area is highly specialized and expensive to enforce. Many states will not be able to keep up with cybersecurity and leaving it up to them might result in duplicative efforts, wasted resources and a sheriff in Tennessee attempting to track down a sophisticated hacker using the Tandy IBM compatible that he got when he was fresh out of the academy. Thaw also noted that "this is a highly interconnected issue across the entire country" and that he "did not believe that the states have sufficient resources for enforcement."

On the flip side, a bad preemptive federal regime would basically nullify all current state-level consumer protections. And unfortunately, doing sweeping reform badly is something with which the government is rather well versed. This may be why Thaw argued in favor of a federal regime only "as long as it was done right."

Thaw advocated a more far-reaching law that would combine data breach notification with overarching cybersecurity reform and impose regulations on companies, obligating them to protect certain data, such as financial records, legal documents, corporate trade secrets, and information about critical infrastructure systems. Thaw's research indicates that implementing breach notification legislation in conjunction with comprehensive information security regulation is four times more effective at preventing incidents than breach notification alone. He likened doing one without the other to locking a door but leaving a window wide open.

About Professor David Thaw:

David Thaw is a Visiting Assistant Professor at the University of Connecticut School of Law and an Affiliated Fellow of the Information Society Project at Yale Law School. David's research and scholarship examine the regulation of Internet and computing technologies, with a specific focus on cybersecurity regulation and cybercrime. Prior to joining UConn, David was a Research Associate at the University of Maryland Department of Computer Science and the Maryland Cybersecurity Center. David also practiced cybersecurity and privacy regulatory law at Hogan Lovells (formerly Hogan & Hartson). For more about David Thaw, visit his website.

About Geoffrey J. Miller

Geoffrey J. Miller graduated with high honors from the University of Connecticut School of Law, where he was an associate editor of the Connecticut Law Review. Geoffrey is a practicing attorney who focuses on insurance coverage, fraud and crime coverage, cyber risk, and special event insurance.

Geoffrey is also an OCR (obstacle course racing) and ultra runner who has competed in several ultra-distance events and at the Obstacle Course Racing World Championships in 2017.

Nothing written here should be considered legal advice, nor does use of this website form an attorney-client relationship. For a full explanation of the legal status of this site, please see our full legal disclaimer.